wpa_supplicant 2.6 HWMP routes no traffic

Bob Copeland me at bobcopeland.com
Tue Oct 4 04:20:38 PDT 2016

On Tue, Oct 04, 2016 at 12:44:32PM +0200, Jeroen Roovers wrote:
> Command:
> /usr/sbin/wpa_supplicant -c/etc/wpa-mesh.conf -s -i wlan1 -Dnl80211 -P
> /var/run/wpa.pid -B -d
> Configuration (/etc/wpa-mesh.conf):
> user_mpm=1
> update_config=1
> network={
>         mode=5
>         ssid="xxx"
>         frequency=2412
>         proto=RSN
>         key_mgmt=SAE
>         pairwise=CCMP
>         group=CCMP
>         psk="xxx"
> }
> This is an IEEE 802.11s network using a kernel 3.4.112 with a modified
> rt2800usb driver for the RT2870 USB wireless modules.
> With version 2.5 this gives me a nicely working secure mesh network.
> With 2.6 peering works, but I only see broadcast packets and no direct
> communications between peers are coming through. It looks like routing
> fails most of the time.

wpa_supplicant mostly isn't involved in HWMP besides installing the
group keys - once peering is done, the kernel handles the rest.

Note there were a number of issues with encrypted networks not
correctly implementing the standard that were resolved recently.
These will cause backwards-compatibility issues, though I'm not
sure if they landed in 2.6.  The changes are:

In wpa_supplicant:
 - an IGTK was installed whether or not ieee80211w was selected
 - said IGTK was also the MGTK instead of a separate key
 - AMPE element in peering frames didn't include IGTK (if desired)
 - AMPE element incorrectly included keys in peering close frames

And in the kernel:
 - self-protected management frames (HWMP) were integrity protected
   (with that MGTK-as-IGTK) instead of encrypted with MGTK as required
   by the standard.  This was fixed in 4.8.

All of the above issues with wpa_supplicant were also fixed in the
master branch of authsae.

Do you have all of the devices on the same wpa_supplicant version?
If not, try that first.

If so, I might look at which keys are installed in the kernel; if
the kernel is expecting protected management frames for HWMP then they
will need to have the IGTK installed (ieee80211w enabled).

Bob Copeland %% http://bobcopeland.com/

More information about the Hostap mailing list